Key exchange device, key exchange system, key exchange method, and key exchange program

ABSTRACT

On the assumption that i≠s, j is the number of times a key exchange is performed, and k is any one of integers greater than or equal to 0 and less than j, a key exchange device includes: a shared secret key storage in which shared secret information mkik which is information different from a secret key of the key exchange device is stored; an authentication information addition unit that generates authentication information σi, by which authentication is performed and falsification is detected, for key exchange information ei, which is output to the outside, by using the shared secret information mkik; and an authentication information verification unit that receives key exchange information es and authentication information σs corresponding to the key exchange information es from the outside, verifies the authentication information σs using the shared secret information mkik, and, if the authentication information σs is not successfully verified, stops a key exchange, and the shared secret information mkik is a value that is used in a generation process in a key exchange.

TECHNICAL FIELD

The present invention relates to a communication device that communicates with another communication device and a communication system, which the communication device executes, in a key exchange technique in the field of information communications.

BACKGROUND ART

As a technique of sharing the same key (a session key), which is used for encryption and so forth, between a plurality of devices, there is a key exchange protocol. In some of the key exchange protocols, a session key is exchanged using a secret key (a long-term secret key) which is used for a long term.

As one example thereof, there is a two-round dynamic multi-cast key distribution protocol (hereinafter also referred to as a KY protocol; see Non-patent Literature 1). The use of the KY protocol makes it possible to efficiently exchange a session key again in accordance with a user's dynamic change (for example, participating in or leaving a call or message group). In addition, the feature of the KY protocol is that, no matter how large the number of users becomes, each user's costs (such as calculation costs and communication costs) required for a key exchange are constant.

PRIOR ART LITERATURE Non-Patent Literature

Non-patent Literature 1: K. Yoneyama, R. Yoshida, Y. Kawahara, T. Kobayashi, H. Fuji, and T. Yamamoto: “Multi-cast Key Distribution: Scalable, Dynamic and Provably Secure Construction”, Proc. of ProvSec 2016, pp. 207-226, Nanjing, China, Nov. 2016.

SUMMARY OF THE INVENTION Problems to be Solved by the Invention

In a protocol in which a key exchange is performed using a long-term secret key, after a long-term secret key is leaked to an attacker, the attacker can sometimes make an attack by participating in a key exchange by posing as the device from which the long-term secret key was leaked. Then, after a long-term secret key in a key exchange technique is leaked, a session key is leaked by spoofing.

For example, also in the KY protocol, an attacker can acquire a session key after a long-term secret key is leaked. The KY protocol uses a star network in which a plurality of users communicate with a server which is the center of the network. At the time of a key exchange, the users and the server perform a session key exchange between the users by using long-term secret keys and short-term secret keys. However, the long-term secret key is stored on nonvolatile memory for a long time and used. Therefore, it is necessary to store the long-term secret key securely in such a way that the long-term secret key is not leaked to an attacker. The security of the KY protocol has the following features:

-   1. Ephemeral key exposure resilience: Even when a short-term secret     key of a user is leaked, a session key before the leakage is secure; -   2. Time-based backward secrecy: Even when session keys before and     after a certain session key are leaked, it is impossible to infer     the certain session key itself; and -   3. Strong server key forward secrecy: Even when a long-term secret     key of a user or the server is leaked, a session key of a session     completed before the leakage is secure.

As described in 3. above, in the KY protocol, even when a long-term secret key is leaked, information on a session key shared in a session conducted before the leakage is not leaked. However, there is a possibility that a session key shared in a session that is conducted after the long-term secret key is leaked falls into the hands of an attacker. Specifically, if a long-term secret key of the server is leaked, the attacker can participate in a key exchange, posing as the server. After the attacker poses as the server, a session key is shared also with the attacker, who secretly participates in a key exchange when a session is conducted between the users. Moreover, if a long-term secret key of a user is leaked, the attacker can participate in a session, posing as the user, which causes a session key to be shared with the attacker.

As described above, in actuality, key exchange protocols include a protocol in which an attacker acquires a session key after a long-term secret key is leaked to the attacker. Under the present circumstances, a case where information is leaked due to a break-in into a server, a user terminal, or the like is easily conceivable. To prevent such a problem, the server and users have to store a long-term secret key securely so as not to leak the long-term secret key. Secure storage becomes a burden on the server and users.

An object of the present invention is to provide a key exchange device, a key exchange system, a key exchange method, and a key exchange program that can prevent a session key from being inferred after a long-term key is leaked.

Means to Solve the Problems

To solve the above-described problem, according to an aspect of the present invention, on the assumption that i≠s, j is the number of times a key exchange is performed, and k is any one of integers greater than or equal to 0 and less than j, a key exchange device includes: a shared secret key storage in which shared secret information mk_(i) ^(k) which is information different from a secret key of the key exchange device is stored; an authentication information addition unit that generates authentication information σ_(i), by which authentication is performed and falsification is detected, for key exchange information e_(i), which is output to the outside, by using the shared secret information mk_(i) ^(k); and an authentication information verification unit that receives key exchange information e_(s) and authentication information σ_(s) corresponding to the key exchange information e_(s) from the outside, verifies the authentication information σ_(s) using the shared secret information mk_(i) ^(k), and, if the authentication information σ_(s) is not successfully verified, stops a key exchange. The shared secret information mk_(i) ^(k) is a value that is used in a generation process in a key exchange.

To solve the above-described problem, according to another aspect of the present invention, a key exchange system includes a key exchange server device and n key exchange devices i. On the assumption that i≠s, i=1, 2, . . . , n, j is the number of times a key exchange is performed, and k is any one of integers greater than or equal to 0 and less than j, each key exchange device i includes: a shared secret key storage in which shared secret information mk_(i) ^(k) which is information different from a to secret key of the key exchange device i is stored; an authentication information addition unit that generates authentication information σ_(i), by which authentication is performed and falsification is detected, for key exchange information e_(i), which is output to the outside, by using the shared secret information mk_(i) ^(k); and an authentication information verification unit that receives key exchange information e_(s_i) and authentication information σ_(s_i) corresponding to the key exchange information e_(s_i) from the outside, verifies the authentication information σ_(s i) using the shared secret information mk_(i) ^(k), and, if the authentication information σ_(s_i) is not successfully verified, stops a key exchange. The key exchange server device includes: a second shared secret key storage in which shared secret information mk₁ ^(k), . . . , mk_(n) ^(k) which is information different from a secret key of the key exchange server device is stored; a second authentication information addition unit that generates authentication information σ_(s_1), . . . , σ_(s_n), by which authentication is performed and falsification is detected, for key exchange information e_(s_1), . . . , e_(s_n), which is output to the outside, by using the shared secret information mk₁ ^(k), . . . , mk_(n) ^(k); and a second authentication information verification unit that receives key exchange information e₁, . . . , e_(n) and authentication information σ₁, . . . , σ_(n) corresponding to the key exchange information e₁, . . . , e_(n) from the outside, verifies the authentication information σ₁, . . . , σ_(n) using the shared secret information mk₁ ^(k), . . . , mk_(n) ^(k), and, if certain authentication information is not successfully verified, stops a key exchange which is performed between the key exchange server device and a key exchange device whose authentication information has not been successfully verified.

To solve the above-described problem, according to still another aspect of the present invention, a key exchange method uses a key exchange device. On the assumption that i≠s, k is any one of integers greater than or equal to 0, and, in a shared secret key storage of the key exchange device, shared secret information mk_(i) ^(k) which is information different from a secret key of the key exchange device is stored, the key exchange method includes: an authentication information addition step in which the key exchange device generates authentication information σ_(i), by which authentication is performed and falsification is detected, for key exchange information e_(i), which is output to the outside, by using the shared secret information mk_(i) ^(k); and an authentication information verification step in which the key exchange device receives key exchange information e_(s) and authentication information σ_(s) corresponding to the key exchange information e_(s) from the outside, verifies the authentication information σ_(s) using the shared secret information mk_(i) ^(k), and, if the authentication information σ_(s) is not successfully verified, stops a key exchange.

To solve the above-described problem, according to yet another aspect of the present invention, a key exchange method uses a key exchange server device and n key exchange devices i. On the assumption that i≠s, i=1, 2, . . . , n, k is any one of integers greater than or equal to 0, in a shared secret key storage of each key exchange device i, shared secret information mk_(i) ^(k) which is information different from a secret key of the key exchange device i is stored, and, in a shared secret key storage of the key exchange server device, shared secret information mk_(i) ^(k), . . . , mk_(n) ^(k) which is information different from a secret key of the key exchange server device is stored, the key exchange method includes: an initial shared secret key sharing step in which the key exchange server device and the n key exchange devices i share the shared secret information mk_(i) ^(k); an authentication information addition step in which the key exchange device i generates authentication information σ_(i), by which authentication is performed and falsification is detected, for key exchange information e_(i), which is output to the outside, by using the shared secret information mk_(i) ^(k); a second authentication information verification step in which the key exchange server device receives key exchange information e₁, . . . , e_(n) and authentication information σ₁, . . . , σ_(n) corresponding to the key exchange information e₁, . . . , e_(n) from the outside, verifies the authentication information σ₁, . . . , σ_(n) using the shared secret information mk₁ ^(k), . . . , mk_(n) ^(k), and, if certain authentication information is not successfully verified, stops a key exchange which is performed between the key exchange server device and a key exchange device whose authentication information has not been successfully verified; a second authentication information addition step in which the key exchange server device generates authentication information σ_(s_1), . . . , σ_(s n), by which authentication is performed and falsification is detected, for key exchange information e_(s_1), . . . , e_(s_n), which is output to the outside, by using the shared secret information mk₁ ^(k), . . . , mk_(n) ^(k); and an authentication information verification step in which the key exchange device i receives key exchange information e_(s_i), and authentication information σ_(s_i) corresponding to the key exchange information e_(s_i) from the outside, verifies the authentication information σ_(s_i) using the shared secret information mk_(i) ^(k), and, if the authentication information σ_(s_i) is not successfully verified, stops a key exchange.

Effects of the Invention

According to the present invention, it is possible to prevent a session key from being inferred after a long-term key is leaked.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a configuration diagram of a key exchange system according to a first embodiment.

FIG. 2 is a functional block diagram of a key exchange server device according to the first embodiment.

FIG. 3 is a functional block diagram of a key exchange device according to the first embodiment.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Hereinafter, embodiments of the present invention will be described. It is to be noted that, in the drawings which are used in the following description, component units having the same function and steps in which the same processing is performed are identified with the same characters and overlapping explanations are omitted. In the following description, symbols such as “∧” and “˜” which are used in text are supposed to be written directly above the immediately preceding letters, but, due to a restriction imposed by text notation, they are written in positions immediately following these letters. In formulae, these symbols are written in their proper positions. Moreover, it is assumed that lo processing which is performed element by element of a vector and a matrix is applied to all the elements of the vector and the matrix unless otherwise specified.

<Point of a First Embodiment>

In a first embodiment, a key exchange protocol is proposed in which authentication using two types of information, information (shared secret information =a MAC key) used in the course of an earlier session key exchange and a long-term secret key, is performed to prevent an attacker from posing as a user or a server.

In the present embodiment, a fixed shared secret information scheme will be described.

In the present embodiment, the following steps are added to the existing key exchange protocol before a key exchange step.

(Initial Shared Secret Key Sharing Step)

A key exchange device and another key exchange device between which a key exchange is performed create long-term secret keys SSKs and long-term public keys SPKs of their own only when they do not have long-term secret keys which can be used for authentication, store the SSKs, and exchange the SPKs while preventing falsification using a technique such as PKI. Then, the key exchange device and the other key exchange device between which a key exchange is performed perform key sharing while adding information that prevents spoofing and falsification by using the long-term secret keys SSKs of their own, share an initial shared secret key mk_(i) ⁰, and store the initial shared secret key mk_(i) ⁰.

Next, the step is modified as follows at the time of transmission and reception, which are performed between key exchange devices, in the existing key exchange algorithm.

(Transmission-Reception-Time Step in a Key Exchange)

Assume that a j-th key exchange is performed between a key exchange device 200-i and another key exchange device 200-m between which a key exchange is performed. In this case, at the time of transmission of information, each key exchange device transmits information which is necessary between the key exchange devices after adding information thereto for detection of spoofing and falsification by using a shared secret key mk_(i) ^(k) (0≤k<j) in a key exchange performed prior to the j-th key exchange. At the time of reception of information, each key exchange device first checks the information for spoofing and detection by using the shared secret key mk_(i) ^(k); if the information is not correct, each key exchange device stops the key exchange algorithm and, if the information is correct, each key exchange device continues the key exchange algorithm.

It is to be noted that the present embodiment is based on the assumption that, at the time of the initial shared secret key sharing step, the algorithm can be ended properly without attacker involvement. As the transmission-reception-time step in a key exchange, a key exchange device and another key exchange device between which a key exchange is performed add, to information which is to be transmitted therebetween, information for preventing spoofing and falsification by using the SSKs of their own and the shared secret key mk_(i) ^(k) in a key exchange performed prior to the j-th key exchange. Thus, even when a long-term secret key is leaked, since the shared secret key mk_(i) ^(k) is securely stored, an attacker cannot forge information for detecting spoofing and falsification in each communication at the time of a key exchange. This makes it possible for the key exchange device and the other key exchange device between which a key exchange is performed to prevent spoofing by an attacker. Therefore, it is possible to solve the problem of leakage of a session key which is caused by leakage of a long-term secret key.

<Notation System>

Hereinafter, the notation system of symbols which are used in the present embodiment will be described.

-   U:={u₁, u₂, . . . , u_(N)} A set of users belonging to a group -   u:={u₁, u₂, . . . , u_(n)|u_(i) ∈ U} A set of users who participate     in a key exchange. -   It is assumed that all or some of the users belonging to the group     participate in a key exchange. Thus, n≤N. -   (sk_(i), pk_(i)) A secret key and a public key of u_(i) -   (sk_(s), pk_(s)) A secret key and a public key of a server -   mk_(i) ^(j) A shared secret key (in the present embodiment, a     message authentication code (MAC) key generated with a security     parameter k) in a j-th key exchange, which is shared between u_(i)     and the server -   p A prime number -   G A finite cyclic group of order p -   g, h Generators of G -   κ (A security parameter -   Kspace_(κ) A κ-bit key space -   TCR: {0, 1}*→{0, 1}^(κ) A target-collision resistant hash function -   tPRF: {0, 1}^(κ)×Kspace_(κ)×Kspace_(κ)×{0, 1}^(κ)→Z_(p) A twisted     pseudo-random function (see Reference Literature 1) -   tPRF′: {0, 1}^(κ)×Kspace_(κ)×Kspace_(κ)×{0, 1}^(κ)→Z_(p) A twisted     pseudo-random function -   F: {0, 1}^(κ)×G→Z_(p) ² A pseudo-random function -   F′: {0, 1}^(k)×Z_(p)→Kspace_(κ) A pseudo-random function -   F″: {0, 1}^(κ)×Kspace_(κ)→{0, 1}^(κ) A pseudo-random function -   F′″: {0, 1}^(κ)×Kspace_(κ)→Z_(p) A pseudo-random function -   TF_(ti):={time_(ti_1); time_(ti_2), . . . , time_(ti_tn)} A set of     times in a specific segment (Time Frame), ti=1, 2, . . . , fn -   TF:={TF₁, TF₂, . . . , TF_(fn)} A set of Time Frames -   PRF: {0, 1}*→{0, 1}^(κ) A pseudo-random function -   (Reference Literature 1) Atsushi Fujioka, Koutarou Suzuki, Keita     Xagawa, and Kazuki Yoneyama. “Strongly secure authenticated key     exchange from factoring, codes, and lattices”. Des. Codes     Cryptography, 76(3):469-504, 2015.

First Embodiment

FIG. 1 is a configuration diagram of a key exchange system according to the first embodiment.

The key exchange system includes a key exchange server device 100 and n key exchange devices 200-i. The devices are connected via a communication line or the like and can communicate with each other. It is assumed that i=1, 2, . . . , n.

The key exchange server device 100 and the n key exchange devices 200-i are each a special device configured as a result of a special program being read into a publicly known or dedicated computer including, for example, a central processing unit (CPU), a main storage unit (random access memory: RAM), and so forth. The key exchange server device 100 and the n key exchange devices 200-i each execute each processing under the control of the central processing unit, for example. The data input to the key exchange server device 100 and the n key exchange devices 200-i and the data obtained by each processing are stored in the main storage unit, for instance, and the data stored in the main storage unit is read into the central processing unit when necessary and used for other processing. At least part of each processing unit of each of the key exchange server device 100 and the n key exchange devices 200-i may be configured with hardware such as an integrated circuit. Each storage of each of the key exchange server device 100 and the n key exchange devices 200-i can be configured with, for example, a main storage unit such as random access memory (RAM), an auxiliary storage unit configured with a hard disk, an optical disk, or a semiconductor memory device such as flash memory, or middleware such as a relational database or a key-value store.

FIG. 2 shows a functional block diagram of the key exchange server device 100. The key exchange server device 100 includes a secret key storage 101, a shared secret key storage 102, a key exchange algorithm unit 103, an authentication information verification unit 104, an authentication information addition unit 105, and a shared secret key sharing unit 106. First, the outline of processing which is performed in each unit will be described.

<Secret Key Storage 101>

In the secret key storage 101, a secret key of the key exchange server device 100 is stored.

<Shared Secret Key Storage 102>

In the shared secret key storage 102, shared secret information mk₁ ^(k−1), . . . , mk_(n) ^(k−1), which is information different from the secret key of the key exchange server device 100 and can be shared with the key exchange devices 200-i, is stored. In the present embodiment, k−1=0 to fix the shared secret information.

<Key Exchange Algorithm Unit 103>

The key exchange algorithm unit 103 accepts key exchange information e₁, . . . , e_(n) from the outside (the key exchange devices 200-i) as input, outputs related information x, which is generated in the course of a key exchange, to the shared secret key sharing unit 106, and outputs key exchange information e_(s_1), . . . , e_(s_n), which is necessary for a key exchange, to the outside (the key exchange devices 200-i).

<Authentication Information Verification Unit 104>

The authentication information verification unit 104 verifies, using authentication information σ₁, . . . , σ_(n) from the outside (the key exchange devices 200-i) as input, the authentication information σ₁, . . . , σ_(n) by using the shared secret information mk₁ ^(k−1), . . . , mk_(n) ^(k−1). If certain authentication information is not successfully verified, the authentication information verification unit 104 stops the key exchange algorithm which is executed between the key exchange server device 100 and the key exchange device whose authentication information has not been successfully verified.

<Authentication Information Addition Unit 105>

The authentication information addition unit 105 generates, using the key exchange information e_(s_1), . . . , e_(s_n) output from the key exchange algorithm unit 103 as input, authentication information σ_(s_1), . . . , σ_(s_n), by which authentication is performed and falsification is detected, for the key exchange information e_(s_1), . . . , e_(s_n) by using the shared secret information mk₁ ^(k−1), . . . , mk_(n) ^(k−1) and outputs the authentication information σ_(s_1), . . . , σ_(s_n) to the key exchange algorithm unit 103.

<Shared Secret Key Sharing Unit 106>

The shared secret key sharing unit 106 obtains, using the related information x which is output by the key exchange algorithm unit 103 as input, shared secret information mk₁ ^(k), . . . , mk_(n) ^(k) by using the secret key and the shared secret information mk₁ ^(k−1), . . . , mk_(n) ^(k−1) and stores the shared secret information mk₁ ^(k), . . . , mk_(n) ^(k) in the shared secret key storage 102.

Next, the key exchange devices 200-i will be described.

FIG. 3 is a functional block diagram of each key exchange device 200-i. The n key exchange devices 200-i each include a secret key storage 201, a shared secret key storage 202, a key exchange algorithm unit 203, an authentication information verification unit 204, an authentication information addition unit 205, and a shared secret key sharing unit 206. First, the outline of processing which is performed in each unit will be described.

<Secret Key Storage 201>

In the secret key storage 201, a secret key of the key exchange device 200-i is stored.

<Shared Secret Key Storage 202>to In the shared secret key storage 202, shared secret information mk_(i) ^(k), which is information different from the secret key of the key exchange device 200-i and can be shared with the key exchange server device 100, is stored.

<Key Exchange Algorithm Unit 203>

The key exchange algorithm unit 203 accepts key exchange information e_(s_i) from the outside (the key exchange server device 100) as input, outputs related information x, which is generated in the course of a key exchange, to the shared secret key sharing unit 206, and outputs key exchange information e_(i), which is necessary for a key exchange, to the outside (the key exchange server device 100).

<Authentication Information Verification Unit 204>

The authentication information verification unit 204 verifies, using authentication information σ_(s_i) from the outside (the key exchange server device 100) as input, the authentication information σ_(s_i) of the key exchange algorithm unit 203 by using shared secret information mk_(i) ^(k−1). If the authentication information σ_(s_i) is not successfully verified, the authentication information verification unit 204 stops the key exchange algorithm which is executed between the key exchange device 200-i and the key exchange server device 100.

<Authentication Information Addition Unit 205>

The authentication information addition unit 205 generates, using the key exchange information e, output from the key exchange algorithm unit 203 as input, authentication information σ_(i), by which authentication is performed and falsification is detected, for the key exchange information e_(i) of the key exchange algorithm unit 203 by using the shared secret information mk_(i) ^(k−1) and transmits the authentication information σ_(i) to the key exchange algorithm unit 203.

<Shared Secret Key Sharing Unit 206>

The shared secret key sharing unit 206 obtains, using the related information x, which is generated in the course of a key exchange in the key exchange algorithm unit 203, as input, shared secret information mk₁ ^(k), . . . , mk_(n) ^(k) by using the secret key and the shared secret information mk_(i) ^(k−1) and stores the shared secret information mk₁ ^(k), . . . , mk_(n) ^(k) in the shared secret key storage 202 of the key exchange device 200-i.

Hereinafter, the processing details of each unit will be described along the processing flow.

In the first embodiment, a KY protocol-based applied protocol is proposed. Like the KY protocol, the present applied protocol is configured with five phases: {Setup, Dist, Join, Leave, Update}. Although similar adaptation can also be made to {Join, Leave, Update} phases, only Setup and Dist phases will be described. Moreover, in the present applied protocol, a PKI-based KY protocol will be described on the assumption that a key exchange is performed between a server S and users u:={u₁, u₂, . . . , u_(n)|u_(i) ∈ U}.

The present applied protocol uses a secret key of RSA encryption as a long-term secret key and a MAC key as a shared secret key in an initial shared secret key sharing step and a shared secret key update step. In the present applied protocol, at the time of sharing of a shared secret key, authentication is performed and falsification is detected using a signature of RSA encryption and a key is shared by DH key sharing. It is to be noted that the present invention can use, in addition to a signature of RSA encryption, a commonly used signature technique, such as DSA or ECDSA, which is used to perform authentication and detect falsification; likewise, as for DH key sharing, the present invention can use a commonly used key exchange technique.

In the present embodiment, since the fixed shared secret information scheme is adopted, authentication and prevention of falsification are performed by adding a MAC tag using an initial shared secret key mk_(i) ⁰ in a transmission-reception-time step in a j-th key exchange. However, it is also possible to adopt the fixed shared secret information scheme and perform authentication and prevention of falsification by adding a MAC tag using a MAC key mk_(i) ^(k) which is a previous or earlier shared secret key. Here, k is any one of integers greater than or equal to 0 and less than j, and it is only necessary to set kin advance between a certain device and another device between which a key exchange is performed.

In the existing KY protocol, a MAC key is created at the beginning of Dist and a MAC tag is generated for some communications of Dist. In the present embodiment, since a MAC key is used as a shared secret key, the protocol is configured without a MAC key. In addition thereto, the protocol is configured without a commitment C_(i)=g^(k_i)h^(s_i) to check the identicalness of a user in Round1 and a user in Round2 and a commitment C₁=g^(k_1)h^(s_1) to check whether each user has k_(i) and s_(i) of a representative user (in the present embodiment, a user u₁ is assumed to be a representative user). Here, in subscripts and superscripts, A_B means A_(B) and A∧B means A^(B). Moreover, as a symbol that means choosing an element x of a set S uniformly and randomly from the set S, x ∈ _(R)S is used.

Setup:

1. The key exchange algorithm unit 203 of the key exchange device 200-i which is used by each user u_(i) generates, by using a key generation algorithm Gen of a public key cryptosystem (Gen, Enc, Dec), a secret key sk_(i) and a public key pk_(i) of the public key cryptosystem using k as a security parameter ((sk_(i), pk_(i))←Gen(l^(k))). Furthermore, the key exchange algorithm unit 203 of the key exchange device 200-i generates secret information (st st′₁) consisting of a random bit string using k as a security parameter (st_(i) ∈ _(R)Kspace₇₈, st′₁ ∈ _(R){0, 1}^(k)).

The key exchange algorithm unit 203 stores (sk_(i), st_(i), st′_(i)) in the secret key storage 201 as a long-term secret key SSK_(i) and makes pk_(i) public to the key exchange server device 100 as a long-term public key SPK_(i) using a technique, such as PKI, of associating the public key pk_(i) with a user.

2. The key exchange algorithm unit 103 of the key exchange server device 100 performs generation of a secret key of attribute-based encryption (Params, msk)←Setup(l^(k), att) by using information att, which is used to define attribute information A_(i), using k as a security parameter. The key exchange algorithm unit 103 generates, by using the key generation algorithm Gen of the public key cryptosystem (Gen, Enc, Dec), a secret key sk_(s) and a public key pk_(s) of the public key cryptosystem using k as a security parameter ((sk_(s), pk_(s))←Gen(l^(k))). Furthermore, the key exchange algorithm unit 103 generates secret information (st_(s), st′_(s)) consisting of a random bit string using k as a security parameter (st_(s) ∈ _(R)Kspace₇₈ , St′_(s) ∈ _(R){0, 1}^(k)).

The key exchange algorithm unit 103 stores (msk, sk_(s), st_(s), st′_(s)) in the secret key storage 101 as a long-term secret key SSK_(s), and stores (Params, p, G, g, h, TCR, tPRF, tPRF′, F, F′, F″, F′″, pk_(s)) in an unillustrated storage as a long-term public key SPK_(s) and makes (Params, p, G, g, h, TCR, tPRF, tPRF′, F, F′, F″, F′″, pk_(s)) public to each key exchange device 200-i using a technique, such as PKI, of associating the public key pk_(s) with a user.

Initial Shared Secret Key Sharing Step:

1. The shared secret key sharing unit 206 of each key exchange device 200-i acquires the long-term public key SPK_(s) and creates random numbers a_(i) and g^(a_i) using g contained in the long-term public key SPK_(s). The shared secret key sharing unit 206 fetches the secret key sk_(i) from the secret key storage 201, creates a signature σ_(i) ⁰ using the secret key sk_(i) by a signature algorithm Sig (σ_(i) ⁰←Sig_(sk_i)(g^(a_i))), and passes the signature data to the key exchange algorithm unit 203. The key exchange algorithm unit 203 transmits (g^(a_i), σ_(i) ⁰) to the key exchange server device 100.

2. The shared secret key sharing unit 106 of the key exchange server device 100 receives (g^(a_i), σ_(i) ⁰) via the key exchange algorithm unit 103 and verifies the signature σ_(i) ⁰ using a verification algorithm Ver (1 or ⊥←Ver_(pk_i)(g^(a_i), σ_(i) ⁰)). If the signature σ_(i) ⁰ is not successfully verified (if ⊥ is output), the shared secret key sharing unit 106 stops the key exchange algorithm. If the signature σ_(i) ⁰ is successfully verified (if 1 is output), the shared secret key sharing unit 106 creates random numbers b and g^(b) using g contained in the long-term public key SPK_(s). The shared secret key sharing unit 106 fetches the secret key sk_(s) from the secret key storage 101, creates a signature σ_(s) ⁰ using the secret key sk_(s) by the signature algorithm Sig (σ_(s) ⁰←Sig_(sk_s)(g^(b))), and transmits (g^(b), σ_(s) ^(o)) to each key exchange device 200-i via the key exchange algorithm unit 103. Furthermore, the shared secret key sharing unit 106 creates g^(a_ib) using g^(a_i) received from each key exchange device 200-i and the created random number b and creates mk_(i) ⁰←MGen(g^(ai_b)) using an algorithm MGen that generates a MAC key. The shared secret key sharing unit 106 stores mk_(i) ⁰ (where i=1, 2, . . . , n) in the shared secret key storage 102 as a shared secret key.

3. The shared secret key sharing unit 206 of each key exchange device 200-i receives (g^(b), σ_(s) ⁰) via the key exchange algorithm unit 203 and verifies the signature σ_(s) ⁰ using pk_(s) contained in the long-term public key SPK_(s) and the verification algorithm Ver (1 or ⊥←Ver_(pk_s)(g^(b), σ_(s) ⁰)). If the signature σ_(s) ⁰ is not successfully verified (if ⊥ is output), the shared secret key sharing unit 206 stops the key exchange algorithm. If the signature σ_(s) ⁰ is successfully verified (if 1 is output), the shared secret key sharing unit 206 creates g^(a_ib) using the random number a, generated by the key exchange device 200-i and g^(b) received from the key exchange server device 100 and creates mk_(i) ⁰←MGen(g^(a_ib)) using the algorithm MGen that generates a MAC key. The shared secret key sharing unit 206 stores mk_(i) ⁰ (here, i is one value corresponding to the key exchange device 200-i) in the shared secret key storage 202 as a shared secret key.

By the processing discussed so far, the key exchange server device 100 and the key exchange device 200-i share the shared secret key mk_(i) ⁰.

Dist:

(State Update at New Time Frame)

A key exchange device 200-i that conducts a session for the first time in a specific TF_(ti) performs the following process with the key exchange server device 100.

1 . When receiving a connection request from the key exchange device 200-i, the key exchange algorithm unit 103 of the key exchange server device 100 creates A_(i)=(u_(i), time_(ji)) from a time time_(ji), which corresponds to the current time, in a specific segment and an identifier u_(i) of a user and sets A_(i) as attribute information. It is to be noted that, if a set of times in the specific segment including the time time_(ji) in the specific segment is assumed to be TF_(ji):={time_(ji_1), time_(ji_2), . . . , time_(ji_tn)} ji is a value, of ji_1, ji_2, . . . , ji_tn, corresponding to the current time. The key exchange algorithm unit 103 of the key exchange server device 100 generates an attribute secret key usk_(i) of the user from Params, msk, and A_(i) using an algorithm Der which is an encryption algorithm of attribute-based encryption and generates a key corresponding to attribute information of a user (usk_(i)←Der(Params, msk, A_(i))). Furthermore, the key exchange algorithm unit 103 acquires the public key pk of the key exchange device 200-i, encrypts usk_(i) by an encryption algorithm Enc of the public key cryptosystem using the public key pk_(i) (CT_(i)←Enc_(pk_i)(usk_(i))), and transmits cipher text CT_(i) to the key exchange device 200-i. Here, i=1, 2, . . . , n.

2. Each key exchange device 200-i receives the cipher text CT_(i), fetches the secret key sk_(i) from the secret key storage 201, decrypts the cipher text CT_(i) by a decryption algorithm Dec of the public key cryptosystem (usk_(i)←Dec_(sk_i)(CT_(i))), and stores the attribute secret key usk_(i) in an unillustrated storage state_(i).

(Round1 for Users)

1. The key exchange algorithm unit 203 of each key exchange device 200-i creates r˜_(i) ∈ _(R){0, 1}^(k), r˜′_(i), ∈ _(R)Kspace_(κ), k˜_(i) ∈ _(R){0, 1}^(k), k˜′_(i), ∈ _(R)Kspace_(κ), s˜_(i), ∈ _(R){0, 1}_(κ), and s˜′, ∈ _(R)Kspace_(κ) and stores them in an unillustrated storage ESK_(i). Then, the key exchange algorithm unit 203 generates r_(i)=tPRF(r˜_(i), r˜′_(i), st_(i), st′_(i)), k_(i)=tPRF(k˜_(i), k˜′_(i), st_(i), st′_(i)), and s_(i)=tPRF(s˜_(i), s˜′_(i), st_(i), st′_(i)). Furthermore, the key exchange algorithm unit 203 creates R=g^(r_i) and C_(i)=g^(k_i)h^(s_i).

2. The authentication information addition unit 205 of each key exchange device 200-i fetches the shared secret key mk_(i) ^(j−1) from the shared secret key storage 202 and calculates a signature σ_(i) ¹ from the created R_(i) and C_(i) by a signature algorithm Tag by the following formula.

σ_(i) ¹=Tag_(mk_(i) ^(j−1))(R_(i), C_(i))

The key exchange algorithm unit 203 sends (R_(i), C_(i), σ_(i) ¹) to the key exchange server device 100. Here, the meaning of Tag_(mk_(i) ^(j−1)) is as follows.

Tag_(mk_(i)^(j − 1))

Moreover, in the present embodiment, since the fixed shared secret key scheme is adopted, mk_(i) ^(j−1)=mk_(i) ⁰. It is to be noted that R_(i) and C_(i) are also referred to as key exchange information and the signature σ_(i) ¹ is also referred to as authentication information.

(Round1 for Server)

1. The authentication information verification unit 104 of the key exchange server device 100 acquires (R_(i), C_(i), σ_(i) ¹) from each key exchange device 200-i via the key exchange algorithm unit 103, fetches the shared secret key mk_(i) ^(j−1) from the shared secret key storage 102, and verifies (R_(i), C_(i), σ_(i) ¹) by the verification algorithm Ver by the following formula.

Ver_(mk_(i) ^(j−1))(R_(i), C_(i), σ_(i) ¹)

If (R_(i), C_(i), σ_(i) ¹) is not successfully verified, the authentication information verification unit 104 stops the key exchange algorithm. The authentication information verification unit 104 continues the key exchange algorithm only when (R_(i), C_(i), σ_(i) ¹) is successfully verified. Here, the meaning of Ver_(mk_(i) ^(j−1)) is as follows.

Ver_(mk_(i)^(j − 1))

2. The key exchange algorithm unit 103 of the key exchange server device 100 acquires (R_(i), C_(i), σ_(i) ¹) from each key exchange device 200-i, calculates sid=TCR(C₁, . . . , C_(n)), and selects one representative user. In the present embodiment, the user u_(i) is assumed to be a representative user. The authentication information addition unit 105 calculates σ_(sev_i) ¹=Tag_(mk_(i) ^(j−1))(sid, R_(i−1), R_(i+1)) by the signature algorithm Tag using sid and R₁, . . . , R_(n), sends (sid, R_(i−1), T_(i+1), σ_(sev_i) ¹) to each key exchange device 200-i via the key exchange algorithm unit 103, and informs the representative user that he/she is a representative user.

(Round2 for Users)

1. The authentication information verification unit 204 of the key exchange device 200-i (where i ∈ [1, n]) acquires (sid, R_(i−1), R_(i+1), σ_(sev_i) ¹) from the key exchange server device 100 via the key exchange algorithm unit 203 and verifies (sid, R_(i−1), R_(i+1), σ_(sev_i) ¹) by the verification algorithm Ver by the following formula.

Ver_(mk_(i) ^(j−1))(sid, R_(i−1), R_(i+1), σ_(sev_i) ¹)

If (sid, R_(i−1), R_(i+1), σ_(sev_i) ¹) is not successfully verified, the authentication information verification unit 204 stops the key exchange algorithm. The authentication information verification unit 204 continues the key exchange algorithm only when (sid, R_(i−1), R_(i+1), σ_(sev_i) ¹) is successfully verified. It is to be noted that sid, R_(i−1), and R_(i+1) are also referred to as key exchange information from the outside (the key exchange server device 100) and σ_(sev_i) ¹ is also referred to as authentication information.

2. The key exchange algorithm unit 203 of the key exchange device 200-i (where i ∈ [2, n]) calculates K_(i) ⁽¹⁾=F(sid, R_(i−1) ^(r_i)), K_(i) ^((r))=F(sid, R_(i+1) ^(r_i)), and T_(i)=K_(i) ⁽¹⁾ xor K_(i) ^((r)). The meaning of xor is as follows.

⊕

The authentication information addition unit 205 calculates a signature σ_(i) ² using the signature algorithm Tag (σ_(i) ²=Tag_(mk_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), U_(i), sid)) and transmits (k_(i), s_(i), T_(i), σ_(i) ²) to the key exchange server device 100 via the key exchange algorithm unit 203.

3. The key exchange algorithm unit 203 of the key exchange device 200-i of the user u₁, who is a representative user, calculates K₁ ⁽¹⁾=F(sid, R_(n) ^(r_1)), K₁ ^((r))=F(sid, R₂ ^(r−1)), T₁=K₁ ⁽¹⁾ xor K₁ ^((r)), and T′=K₁ ⁽¹⁾ xor (k₁∥s₁). The authentication information addition unit 205 calculates a signature σ₁ ² using the signature algorithm Tag (σ₁ ²=Tag_(mk₁ ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid)) and transmits (T₁, T′, σ₁ ²) to the key exchange server device 100 via the key exchange algorithm unit 203.

(Round2 for Server)

1. The authentication information verification unit 104 of the key exchange server device 100 acquires (k_(i), s_(i), T_(i), σ_(i) ²) from the key exchange device 200-i (where i ∈ [2, n]) via the key exchange algorithm unit 103 and verifies (k_(i), s_(i), T_(i), σ_(i) ²) by the verification algorithm Ver by the following formula.

Ver_(mk_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R₁₊₁, k_(i), s_(i), T_(i), U_(i), sid, σ_(i) ²)

If (k_(i), s_(i), T_(i), σ_(i) ²) is not successfully verified, the authentication information verification unit 104 stops the key exchange algorithm. The authentication information verification unit 104 continues the key exchange algorithm only when (k_(i), s_(i), T_(i), σ_(i) ²) is successfully verified.

2. The authentication information verification unit 104 of the key exchange server device 100 acquires (T_(i), T′, σ₁ ²) from a key exchange device 200-1 of the user u₁, who is a representative user, via the key exchange algorithm unit 103 and verifies (T_(i), T′, σ₁ ²) by the verification algorithm Ver by the following formula.

Ver_(mk₁ ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid, σ₁ ²)

If (T₁, T′, σ₁ ²) is not successfully verified, the authentication information verification unit 104 stops the key exchange algorithm. The authentication information verification unit 104 continues the key exchange algorithm only when (T₁, T′, σ₁ ²) is successfully verified.

3. The key exchange algorithm unit 103 of the key exchange server device 100 generates k_(S)˜∈ _(R){0, 1}^(k), k_(S)˜′ ∈ _(R)Kspace_(κ), K₁˜∈ _(R){0, 1}^(k), and K₁˜′∈ _(R)Kspace_(κ) and calculates k_(S)=tPRF(k_(S)˜, k_(S)˜′, st_(s), st′_(s)), K₁=tPRF(K₁˜, K₁˜′, st_(s), st′_(s)), and k′=(xor_(2≤i≤n)k_(i)) xor k_(s).

4. The key exchange algorithm unit 103 of the key exchange server device 100 calculates T_(i)′=(xor_(i≤j≤i−1) T_(j)) for the key exchange device 200-i (where i ∈ [2, n]).

5. The key exchange algorithm unit 103 of the key exchange server device 100 calculates P_(i):=(ID=U_(i))∧(time ∈ TF) and CT_(i)′=AEnc(Params, P_(i), K₁) for the key exchange device 200-i (where i ∈ [1, n]). It is to be noted that AEnc is an encryption algorithm of attribute-based encryption.

6. The authentication information addition unit 105 of the key exchange server device 100 calculates a signature σ_(i) ² for the key exchange device 200-i (where i ∈ [2, n]) using the signature algorithm Tag by the following formula.

σ_(i) ²=Tag_(mk₁ ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), sid, c₁, k′, T_(i)′, T′, CT_(i)′)

Next, the authentication information addition unit 105 transmits (c₁, k′, T′_(i), T′, CT_(i)′, σ_(i) ²) to the key exchange device 200-i (where i ∈ [2, n]) via the key exchange algorithm unit 103.

7. The authentication information addition unit 105 of the key exchange server device 100 calculates a signature σ₁ ² for the key exchange device 200-1 of the user u₁, who is a representative user, using the signature algorithm Tag by the following formula.

σ₁ ²=Tag_(mk_(i) ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid, k′, CT′₁)

Next, the authentication information addition unit 105 transmits (k′, CT₁′, σ₁ ²) to the key exchange device 200-1 via the key exchange algorithm unit 103.

(Session Key Generation and Post Computation)

1. The authentication information verification unit 204 of the key exchange device 200-i (where i ∈ [2, n]) acquires (c₁, k′, sid, T′_(i), T′, CT_(i)′, σ₁ ²) from the key exchange server device 100 via the key exchange algorithm unit 203 and verifies (c₁, k′, sid, T′_(i), T′, CT_(i)′, σ_(i) ²) by the verification algorithm Ver by the following formula.

Ver_(mk_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), U_(i), sid, c₁, k′, T_(i)′, T′, CT_(i)′, σ₁ ²)

If (c₁, k′, sid, T′_(i), T′, CT_(i)′, σ₁ ²) is not successfully verified, the authentication information verification unit 204 stops the key exchange algorithm. The authentication information verification unit 204 continues the key exchange algorithm only when (c₁, k′, sid, T′_(i), T′, CT_(i)′, σ_(i) ²) is successfully verified.

2. The key exchange algorithm unit 203 of the key exchange device 200-i calculates K₁ ⁽¹⁾=T′_(i) xor K_(i) ⁽¹⁾ and k₁∥s₁=T′ xor K₁ ⁽¹⁾ and decrypts cipher text CT′_(i) by a decryption algorithm ADec of attribute-based encryption by the following formula.

K₁←ADec_(usk_i)(CT′_(i), P_(i))

Furthermore, the key exchange algorithm unit 203 calculates K₂=F′(sid, k′ xor k₁) and obtains a session key SK by SK=F″(sid, K₁) xor F″(sid, K₂).

3. The key exchange algorithm unit 203 of the key exchange device 200-i (where i ∈ [2, n]) stores sid, H_(i) ⁽¹⁾=R_(i−1) ^(r_i), H_(i) ^((r))=R_(i+1) ^(r_i) and r=F′″(sid, K₁) xor F′″(sid, K₂) in an unillustrated storage state;.

4. The authentication information verification unit 204 of the key exchange device 200-1 of the user u₁, who is a representative user, acquires (k′, CT₁′, σ₁ ²) from the key exchange server device 100 via the key exchange algorithm unit 203 and verifies (k′, CT₁′, σ₁ ²) by the verification algorithm Ver by the following formula.

Ver_(mk₁ ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid, k′, CT′₁, σ₁ ²)

If (k′, CT₁′, σ₁ ²) is not successfully verified, the authentication information verification unit 204 stops the key exchange algorithm. The authentication information verification unit 204 continues the key exchange algorithm only when (k′, CT₁′, σ₁ ²) is successfully verified.

5. The key exchange algorithm unit 203 of the key exchange device 200-1 decrypts cipher text CT′₁ by the decryption algorithm ADec of attribute-based encryption by the following formula.

K₁←ADec_(usk_1)(CT′₁, P₁)

Furthermore, the key exchange algorithm unit 203 calculates K₂=F′(sid, k′ xor k₁) and obtains a session key SK by SK=F″(sid, K₁) xor F″(sid, K₂).

6. The key exchange algorithm unit 203 of the key exchange device 200-1 stores sid, H₁ ⁽¹⁾=R_(n) ^(r_i), H₁ ^((r))=R₂ ^(r_i), and r=F′″(sid, K₁) xor F′″(sid, K₂) in an unillustrated storage state₁.

<Effects>

The above configuration makes it possible for the key exchange devices to share a session key SK between the key exchange devices while concealing the session key SK from the key exchange server device and, by performing authentication using two types of information, shared secret information=a MAC key and a long-term secret key, prevent the session key from being inferred after the long-term key is leaked. Even if information on a long-term secret key of a server or user is leaked, it is possible to prevent an attacker from making a session key exchange unless a shared secret key is leaked.

For example, the shared secret information can be stored in a tamper-resistant area (such as an HSM of a server or a SIM of a smartphone) and used. By using information, such as a MAC key, whose key size is small and calculation costs are low as the shared secret information, it is possible to make effective use of a limited tamper-resistant area.

<Modifications>

In the present embodiment, a case where a key exchange is performed between a key exchange device and a key exchange server device, that is, a key exchange between a key exchange device and a key exchange server device has been described; the present invention may be applied to a key exchange between key exchange devices. It is only necessary to adopt a configuration in which a certain key exchange device functions as a key exchange device of the present embodiment and another key exchange device functions as a key exchange server device of the present embodiment.

<Point of a Second Embodiment>

A difference from the first embodiment will be mainly described.

In the present embodiment, the shared secret key of the above-described first embodiment is changed from a MAC key (mk_(i) ^(j−1)) to a key of AES (key_(i) ^(j−1)), information which is added to each communication is transmitted as cipher text c′_(i) by AES, not a signature σ_(i), and the key exchange algorithm is stopped if the cipher text c′_(i) is not successfully decrypted.

Second Embodiment Setup:

1. The key exchange algorithm unit 203 of the key exchange device 200-i which is used by each user u, generates, by using a key generation algorithm Gen of a public key cryptosystem (Gen, Enc, Dec), a secret key sk_(i) and a public key pk_(i) of the public key cryptosystem using k as a security parameter ((sk_(i), pk_(i))←Gen(1^(k))). Furthermore, the key exchange algorithm unit 203 of the key exchange device 200-i generates secret information (st₁, st′₁) consisting of a random bit string using k as a security parameter (st_(i) ∈ _(R)Kspace_(κ), st′_(i) ∈ _(R){0, 1 }^(k)).

The key exchange algorithm unit 203 stores (sk_(i), st_(i), st′_(i)) in the secret key storage 201 as a long-term secret key SSK_(i) and makes pk_(i) public to the key exchange server device 100 as a long-term public key SPK_(i) using a technique, such as PKI, of associating the public key pk_(i) with a user.

2. The key exchange algorithm unit 103 of the key exchange server device 100 performs generation of a secret key of attribute-based encryption (Params, msk)←Setup(1^(k), att) by using information att, which to is used to define attribute information A_(i), using k as a security parameter. The key exchange algorithm unit 103 generates, by using the key generation algorithm Gen of the public key cryptosystem (Gen, Enc, Dec), a secret key sk_(s) and a public key pk_(s) of the public key cryptosystem using k as a security parameter ((sk_(s), pk_(s))←Gen(1^(k))). Furthermore, the key exchange algorithm unit 103 generates secret information (st_(s), st′_(s)) consisting of a random bit string using k as a security parameter (st_(s) ∈ _(R)Kspace_(κ), st′_(s) ∈ _(R){0, 1 }^(k)).

The key exchange algorithm unit 103 stores (msk, sk_(s), st_(s), st′_(s)) in the secret key storage 101 as a long-term secret key SSK_(s), and stores (Params, p, G, g, h, TCR, tPRF, tPRF′, F, F′, F″, F′″, pk_(s)) in an unillustrated storage as a long-term public key SPK_(s) and makes (Params, p, G, g, h, TCR, tPRF, tPRF′, F, F′, F″, F′″, pk_(s)) public to each key exchange device 200-i using a technique, such as PKI, of associating the public key pk_(s) with a user.

Initial Shared Secret Key Sharing Step:

1. The shared secret key sharing unit 206 of each key exchange device 200-i acquires the long-term public key SPK_(s) and creates random numbers a, and g^(a_i) using g contained in the long-term public key SPK_(s). The shared secret key sharing unit 206 fetches the secret key sk_(i) from the secret key storage 201, creates a signature σ_(i) ⁰ using the secret key sk_(i) by a signature algorithm Sig (σ_(i) ⁰←Sig_(sk_i)(g ^(a_i))), and transmits (g^(a_i), σ_(i) ⁰) to the key exchange server device 100 via the key exchange algorithm unit 203.

2. The shared secret key sharing unit 106 of the key exchange server device 100 receives (g^(a_i), σ_(i) ⁰) via the key exchange algorithm unit 103 and verifies the signature σ_(i) ⁰ using a verification algorithm Ver (1 or ∧←Ver_(pk_i)(g^(a_i), σ_(i) ⁰)). If the signature σ_(i) ⁰ is not successfully verified (if ∧ is output), the shared secret key sharing unit 106 stops the key exchange algorithm. If the signature σ_(i) ⁰ is successfully verified (if 1 is output), the shared secret key sharing unit 106 creates random numbers b and g^(b) using g contained in the long-term public key SPK_(s). The shared secret key sharing unit 106 fetches the secret key sk_(s) from the secret key storage 101, creates a signature σ_(s) using the secret key sk_(s) by the signature algorithm Sig (σ_(s)←Sig_(sk_s)(g^(b))), and transmits (g^(b), σ_(s)) to each key exchange device 200-i via the key exchange algorithm unit 103. Furthermore, the shared secret key sharing unit 106 creates g^(a_ib) using g^(a_i) received from each key exchange device 200-i and the created random number b and creates key_(i) ⁰←KeyGen(g^(a_ib)) using an algorithm KeyGen that generates an AES key. The shared secret key sharing unit 106 stores key_(i) ⁰ (where i=1, 2, . . . , n) in the shared secret key storage 102 as a shared secret key.

3. The shared secret key sharing unit 206 of each key exchange device 200-i receives (g^(b), σ_(s) ⁰) and verifies the signature σ_(s) ⁰ using pk_(s) contained in the long-term public key SPK, and the verification algorithm Ver (1 or ∧←Ver_(pk_s)(g^(b), σ_(s) ⁰). If the signature σ_(s) ⁰ is not successfully verified (if ∧ is output), the shared secret key sharing unit 206 stops the key exchange algorithm. If the signature σ_(s) ⁰ is successfully verified (if 1 is output), the shared secret key sharing unit 206 creates g^(a_ib) using the random number a_(i) generated by the key exchange device 200-i and g^(b) received from the key exchange server device 100 and creates key_(i) ⁰←KeyGen(g^(a_ib)) using the algorithm KeyGen that generates a key of AES. The shared secret key sharing unit 206 stores key_(i) ⁰ (here, i is one value corresponding to the key exchange device 200-i) in the shared secret key storage 202 as a shared secret key.

By the processing discussed so far, the key exchange server device 100 and the key exchange device 200-i share the shared secret key key_(i) ⁰.

Dist:

(State Update at New Time Frame)

A key exchange device 200-i that conducts a session for the first time in a specific TF_(ti) performs the following process with the key exchange server device 100.

1. When receiving a connection request from the key exchange device 200-i, the key exchange algorithm unit 103 of the key exchange server device 100 creates A_(i)=(u_(i), time_(ji)) from a time time_(ji), which corresponds to the current time, in a specific segment and an identifier u_(i) of a user and sets A_(i) as attribute information. It is to be noted that, if a set of times in the specific segment including the time time_(ji) in the specific segment is assumed to be TF_(ji):={time_(ji_1), time _(ji_2), . . . , time_(ji_tn)}, ji is a value, of ji_1, ji_2, . . . , ji_tn, corresponding to the current time. The key exchange algorithm unit 103 of the key exchange server device 100 generates an attribute secret key usk, of the user from Params, msk, and A_(i) using an algorithm Der which is an encryption algorithm of attribute-based encryption and generates a key corresponding to attribute information of a user (usk_(i)←Der(Params, msk, A_(i))). Furthermore, the key exchange algorithm unit 103 acquires the public key pk_(i) of the key exchange device 200-i, encrypts usk_(i) by an encryption algorithm Enc of the public key cryptosystem using the public key pk_(i) (CT_(i)←Enc_(pk_i)(usk_(i))), and transmits cipher text CT_(i) to the key exchange device 200-i. Here, i=1, 2, . . . , n.

2. Each key exchange device 200-i receives the cipher text CT_(i), fetches the secret key sk_(i) from the secret key storage 201, decrypts the cipher text CT_(i) by a decryption algorithm Dec of the public key cryptosystem (usk_(i)←Dec_(sk_i)(CT_(i))), and stores the attribute secret key usk_(i) in an unillustrated storage state_(i).

(Round1 for Users)

1. The key exchange algorithm unit 203 of each key exchange device 200-i creates r˜_(i) ∈ _(R){0, 1}^(k), r˜′_(i) ∈ _(R)Kspace_(κ), k˜_(i) ∈ _(R){0, 1}^(k), k˜′_(i) ∈ _(R)Kspace_(κ), s˜_(i) ∈ _(R){0, 1}^(k), and s˜′_(i) ∈ _(R)Kspace_(κ) and stores them in an unillustrated storage ESK_(i). Then, the authentication information addition unit 205 generates r_(i)=tPRF(r˜_(i), r˜′_(i), st_(i), st′_(i)), k_(i)=tPRF(k˜_(i), k˜′_(i), st_(i), st′_(i)), and s_(i)=tPRF(s˜_(i), s˜′_(i), st_(i), st′_(i)). Furthermore, the authentication information addition unit 205 creates R_(i)=g^(r_i) and C_(i)=g^(k_i)h^(s_i).

2. The authentication information addition unit 205 of each key exchange device 200-i fetches the shared secret key key_(i) ^(j−1) from the shared secret key storage 202 and calculates cipher text c_(i) ¹ from the created R_(i) and C_(i) by the encryption algorithm Enc of the public key cryptosystem by the following formula.

c_(i) ¹=Enc_(key_(i) ^(j−1))(R_(i), C_(i))

The authentication information addition unit 205 sends (R_(i), C_(i), c_(i) ¹) to the key exchange server device 100 via the key exchange algorithm unit 203. Here, the meaning of Enc_(key_(i) ^(j−1)) is as follows.

Enc_(key_(i)^(j − 1))

Moreover, in the present embodiment, since the fixed shared secret key scheme is adopted, key_(i) ^(j−1)=key_(i) ⁰.

(Round1 for Server)

1. The authentication information verification unit 104 of the key exchange server device 100 acquires (R_(i), C_(i), c_(i) ¹) from each key exchange device 200-i via the key exchange algorithm unit 103, fetches the shared secret key key_(i) ^(j−1) from the shared secret key storage 102, calculates Enc_(key_(i) ^(j−1))(R_(i), C_(i)) by the encryption algorithm Enc of the public key cryptosystem, and verifies whether the calculation result is equal to c_(i) ¹. If it is not successfully verified that the calculation result is equal to c_(i) ¹, the authentication information verification unit 104 stops the key exchange algorithm. The authentication information verification unit 104 continues the key exchange algorithm only when it is successfully verified that the calculation result is equal to c_(i) ¹.

2. The key exchange algorithm unit 103 of the key exchange server device 100 acquires (R_(i), C_(i), c_(i) ¹) from each key exchange device 200-i, calculates sid=TCR(C₁, . . . , C_(n)), and selects one representative user. In the present embodiment, a user u₁ is assumed to be a representative user. The authentication information addition unit 105 calculates c_(sev_i) ¹=Enc_(key_(i) ^(j−1))(sid, R_(i−1), R_(i+i)) by the encryption algorithm Enc of the public key cryptosystem using sid and R₁, . . . , R_(n) and sends (sid, R_(i−1), R_(i+1), c_(sev_i) ¹) to each key exchange device 200-i via the key exchange algorithm unit 103. In so doing, the key exchange algorithm unit 103 informs the representative user that he/she is a representative user.

(Round2 for Users)

1 . The authentication information verification unit 204 of the key exchange device 200-i (where i ∈ [1, n]) acquires (sid, R_(i−1), R_(i+1), c_(sev_i) ¹) from the key exchange server device 100 via the key exchange algorithm unit 203, calculates Enc_(key_(i) ^(j−1))(sid, R_(i−1), R_(i+1)) by the encryption algorithm Enc of the public key cryptosystem, and verifies whether the calculation result is equal to c_(sev_i) ¹.

If it is not successfully verified that the calculation result is equal to c_(sev_i) ¹, the authentication information verification unit 204 stops the key exchange algorithm. The authentication information verification unit 204 continues the key exchange algorithm only when it is successfully verified that the calculation result is equal to c_(sev_i) ¹.

2. The key exchange algorithm unit 203 of the key exchange device 200-i (where i ∈ [2, n]) calculates K_(i) ⁽¹⁾=F(sid, R_(i−1) ^(r_i)), K_(i) ^((r))=F(sid, R_(i+1) ^(r_i)), and T_(i)=K_(i) ⁽¹⁾ xor K_(i) ^((r)), calculates c_(i) ²=Enc_(key_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), U_(i), sid) using the encryption algorithm Enc of the public key cryptosystem, and transmits (k_(i), s_(i), T_(i), c_(i) ²) to the key exchange server device 100 via the key exchange algorithm unit 203.

3. The key exchange algorithm unit 203 of the key exchange device 200-i of the user u₁, who is a representative user, calculates K₁ ⁽¹⁾=F(sid, R_(n) ^(r_1)), K₁ ⁽¹⁾=F(sid, R₂ ^(r_1)), T₁=K₁ ⁽¹⁾ xor K₁ ^((r)), and T′=K₁ ⁽¹⁾ xor (k₁∥s₁), calculates c₁ ²=Enc_(key₁ ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid) using the encryption algorithm Enc of the public key cryptosystem, and transmits (T₁, T′, c₁ ²) to the key exchange server device 100 via the key exchange algorithm unit 203.

(Round2 for Server)

1. The authentication information verification unit 104 of the key exchange server device 100 acquires (k_(i), s_(i), T_(i), c_(i) ²) from the key exchange device 200-i (where i ∈ [2, n]) via the key exchange algorithm unit 103, calculates Enc_(key_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), U_(i), sid) by the encryption algorithm Enc of the public key cryptosystem, and verifies whether the calculation result is equal to c_(i) ². If it is not successfully verified that the calculation result is equal to c_(i) ², the authentication information verification unit 104 stops the key exchange algorithm. The authentication information verification unit 104 continues the key exchange algorithm only when it is successfully verified that the calculation result is equal to c_(i) ².

2. The authentication information verification unit 104 of the key exchange server device 100 acquires (T₁, T^(′), c₁ ²) from a key exchange device 200-1 of the user u₁, who is a representative user, via the key exchange algorithm unit 103, calculates Enc_(key₁ ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid) by the encryption algorithm Enc of the public key crypto system, and verifies whether the calculation result is equal to c₁ ². If it is not successfully verified that the calculation result is equal to c₁ ², the authentication information verification unit 104 stops the key exchange algorithm. The authentication information verification unit 104 continues the key exchange algorithm only when it is successfully verified that the calculation result is equal to c₁ ².

3. The key exchange algorithm unit 103 of the key exchange server device 100 generates k_(s)˜ ∈ _(R){0, 1}^(k), k_(s)˜′ ∈ _(R)Kspace_(κ), K₁˜ ∈ _(R){0, 1 }^(k), and K₁˜′ ∈ _(R)Kspace_(κ) and calculates k_(S)=tPRF(k_(S)˜, k_(S)˜′, st_(s), st′_(s)), K₁=tPRF(K₁˜, K₁˜′, st_(s), st′_(s)), and k′=(xor_(2≤i≤n) k_(i)) xor k_(s).

4. The key exchange algorithm unit 103 of the key exchange server device 100 calculates T_(i)′=(xor_(i≤j≤i−1) T_(j)) for the key exchange device 200-i (where i ∈ [2, n]).

5. The key exchange algorithm unit 103 of the key exchange server device 100 calculates P_(i):=(ID=U_(i))∧(time ∈ TF) and CT_(i)′=AEnc(Params, P_(i), K₁) for the key exchange device 200-i (where i ∈ [1, n]).

6. The authentication information addition unit 105 of the key exchange server device 100 calculates c_(sev_i) ²=Enc_(key_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), U_(i), sid, c₁, k′, T_(i)′, T′, CT_(i)′) for the key exchange device 200-i (where i ∈ [2, n]) by the encryption algorithm Enc of the public key cryptosystem and transmits (c₁, k′, T′_(i), T′, CT_(i)′, c_(sev_i) ²) to the key exchange device 200-i (where i ∈ [2, n]) via the key exchange algorithm unit 103.

7. The authentication information addition unit 105 of the key exchange server device 100 calculates c_(sev_1) ²=Enc_(key_(i) ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid, k′, CT′₁) for the key exchange device 200-1 of the user u₁, who is a representative user, by the encryption algorithm Enc of the public key cryptosystem and transmits (k′, CT₁′, c_(sev_1) ²) to the key exchange device 200-1 via the key exchange algorithm unit 103.

(Session Key Generation and Post Computation)

1. The authentication information verification unit 204 of the key exchange device 200-i (where i ∈ [2, n]) acquires (c₁, k′, sid, T′_(i), T′, CT_(i)′, c_(sev_i) ²) from the key exchange server device 100 via the key exchange algorithm unit 203, calculates Enc_(key_(i) ^(j−1))(R_(i), c_(i), R_(i−1), k_(i), s_(i), T_(i), U_(i), sid, c₁, k′, T_(i)′, T′, CT_(i)′) by the encryption algorithm Enc of the public key cryptosystem, and verifies whether the calculation result is equal to c_(sev_i) ². If it is not successfully verified that the calculation result is equal to c_(sev_i) ², the authentication information verification unit 204 stops the key exchange algorithm. The authentication information verification unit 204 continues the key exchange algorithm only when it is successfully verified that the calculation result is equal to c_(sev 1) ².

2. The key exchange algorithm unit 203 of the key exchange device 200-i calculates K₁ ⁽¹⁾=T′_(i) xor K₁ ⁽¹⁾ and k₁μs₁=T′ xor K_(1hu (1)) and decrypts the cipher text CT′_(i) by a decryption algorithm ADec of attribute-based encryption by the following formula.

K₁←ADec_(usk_i)(CT′_(i), P_(i))

Furthermore, the key exchange algorithm unit 203 calculates K₂=F′(sid, k′ xor k₁) and obtains a session key SK by SK=F″(sid, K₁) xor F″(sid, K₂).

3. The key exchange algorithm unit 203 of the key exchange device 200-i (where i ∈ [2, n]) stores sid, H_(i) ⁽¹⁾=R_(i−1) ^(r_i), H_(i) ^((r))=R_(i+1) ^(r_i), and r=F′″(sid, K₁) xor F′″(sid, K₂) in an unillustrated storage state_(i).

4. The authentication information verification unit 204 of the key exchange device 200-1 of the user u₁, who is a representative user, acquires (k′, CT₁′, c_(sev_1) ²) from the key exchange server device 100 via the key exchange algorithm unit 203, calculates Enc_(key₁ ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid, k′, CT′₁) by the encryption algorithm Enc of the public key cryptosystem, and verifies whether the calculation result is equal to c_(sev_1) ². If it is not successfully verified that the calculation result is equal to c_(sev1_) ², the authentication information verification unit 204 stops the key exchange algorithm. The authentication information verification unit 204 continues the key exchange algorithm only when it is successfully verified that the calculation result is equal to c_(sev_1) ².

5. The key exchange algorithm unit 203 of the key exchange device 200-1 decrypts the cipher text CT′₁ by the decryption algorithm ADec of attribute-based encryption by the following formula.

K₁←ADec_(usk_1)(CT′₁, P₁)

Furthermore, the key exchange algorithm unit 203 calculates K₂=F′(sid, k′ xor k₁) and obtains a session key SK by SK=F″(sid, K₁) xor F″(sid, K₂).

6. The key exchange algorithm unit 203 of the key exchange device 200-1 stores sid, H₁ ⁽¹⁾=R_(n) ^(r_i), H₁ ^((r))=R₂ ^(r_i), and r=F′″(sid, K₁) xor F′″(sid, K₂) in an unillustrated storage state_(i).

<Effects>

By adopting this configuration, it is possible to obtain the same effects as those of the first embodiment.

<Point of a Third Embodiment>

A difference from the first embodiment will be mainly described.

In a third embodiment, a shared secret key update scheme is adopted. In the shared secret key update scheme, in addition to the steps of the fixed shared secret key scheme, the following step is inserted before sharing of a session key in the key exchange algorithm.

Shared secret key update step:

Before a j-th session key exchange is performed, a key exchange device 200-i and another key exchange device 200-m between which a key exchange is performed perform key sharing therebetween using long-term secret keys SSKs of their own and a shared secret key key_(i) ^(k) in a key exchange performed prior to the j-th key exchange (that is, k<j) and share a shared secret key key_(i) ^(j) in the j-th key exchange. In a communication which is performed when this sharing is performed, the key exchange device 200-i and the other key exchange device 200-m between which a key exchange is performed share the shared secret key key_(i) ^(j) while adding information for preventing spoofing and falsification using the long-term secret keys SSKs of their own and the shared secret key key_(i) ^(k) in a key exchange performed prior to the j-th key exchange (that is, k<j). After sharing the shared secret key key_(i) ^(j), the key exchange device 200-i and the other key exchange device 200-m between which a key exchange is performed store the new shared secret key key_(i) ^(j).

Third Embodiment

The first embodiment and the third embodiment differ in the processing details in Setup, the initial shared secret key sharing step, (Round2 for Users), (Round2 for Server), and (Session Key Generation and Post Computation). Differences will be mainly described.

Setup:

In the third embodiment, an embodiment in which attribute-based encryption is not used is described. It is to be noted that all the embodiments in the present specification can be configured with or without attribute-based encryption.

1. The key exchange algorithm unit 203 of the key exchange device 200-i which is used by each user u_(i) generates, by using a key generation algorithm Gen of a public key cryptosystem (Gen, Enc, Dec), a secret key sk_(i) and a public key pk_(i) of the public key cryptosystem using k as a security parameter ((sk_(i), pk_(i))←Gen(1^(k))). Furthermore, the key exchange algorithm unit 203 of the key exchange device 200-i generates secret information (st_(i), st′_(i)) consisting of a random bit string using k as a security parameter (st_(i) ∈ _(R)Kspace_(κ), st′_(i) ∈_(R){0, 1 }^(k)).

The key exchange algorithm unit 203 stores (sk_(i), st_(i), st′_(i)) in the secret key storage 201 as a long-term secret key SSK_(i) and makes pk_(i) public to the key exchange server device 100 as a long-term public key SPK_(i) using a technique, such as PKI, of associating the public key pk_(i) with a user.

2. The key exchange algorithm unit 103 of the key exchange server device 100 generates, by using the key generation algorithm Gen of the public key cryptosystem (Gen, Enc, Dec), a secret key sk_(s) and a public key pk_(s) of the public key cryptosystem using k as a security parameter ((sk_(s), pk_(s))←Gen(1^(k))). Furthermore, the key exchange algorithm unit 103 generates secret information (st_(s), st′_(s)) consisting of a random bit string using k as a security parameter (st_(s) ∈ _(R)Kspace_(κ), st′_(s) ∈ _(R){0, 1}^(k)).

The key exchange algorithm unit 103 stores (sk_(s), st_(s), st′_(s)) in the secret key storage 101 as a long-term secret key SSK_(s), and stores (p, G, g, h, TCR, tPRF, tPRF′, F, F′, F″, F′″, pk_(s)) in an unillustrated storage as a long-term public key SPK_(s) and makes (p, G, g, h, TCR, tPRF, tPRF′, F, F′, F″, F′″, pk_(s)) public to each key exchange device 200-i using a technique, such as PKI, of associating the public key pk_(s) with a user.

Initial Shared Secret Key Sharing Step:

1. The shared secret key sharing unit 206 of each key exchange device 200-i acquires the long-term public key SPK_(s), obtains a˜_(i) by a˜_(i) ∈ _(R){0, 1}^(k), a˜_(i) ′∈ _(R)Kspace_(κ), and a_(i)=tPRF(a˜_(i), a˜_(i)′, st_(i), st′_(i)) using tPRF contained in the long-term public key SPK_(s), stores (a˜_(i), a˜_(i)′) in an unillustrated storage ESK_(i), and creates g^(a_i). The shared secret key sharing unit 206 fetches the secret key sk_(i) from the secret key storage 201, creates a signature σ_(i) ⁰ using the secret key sk_(i) by a signature algorithm Sig (σ_(i) ⁰←Sig_(sk_i)(g^(a_i))), and transmits (g^(a_i), σ_(i) ⁰ to the key exchange server device 100 via the key exchange algorithm unit 203.

2. The shared secret key sharing unit 106 of the key exchange server device 100 receives (g^(a_i), σ_(i) ⁰) and verifies the signature σ_(i) ⁰ using a verification algorithm Ver (1 or ∧←Ver_(pk_i)(g^(a_i), σ_(i) ⁰)). If the signature σ_(i) ⁰ is not successfully verified (if ∧ is output), the shared secret key sharing unit 106 stops the key exchange algorithm. If the signature σ_(i) ⁰ is successfully verified (if 1 is output), the shared secret key sharing unit 106 continues the key exchange algorithm.

The shared secret key sharing unit 106 obtains b_(i) for each key exchange device 200-i by b˜_(i) ∈ _(R){0, 1}^(k), b˜_(i)′ ∈ _(R)Kspace_(κ), and b_(i)=tPRF(b˜_(i), b˜_(i)′, st_(s), st′_(s)) using tPRF, stores (b˜_(i), b˜_(i)′) in an unillustrated storage ESK_(s), and creates g^(b_i).

The shared secret key sharing unit 106 fetches the secret key sk_(s) from the secret key storage 101, creates a signature σ_(s) ⁰ using the secret key sk_(s) by the signature algorithm Sig (σ_(s) ⁰←Sig_(sk_s)(g^(b_i))), and transmits (g^(b_i), σ_(s) ⁰) to each key exchange device 200-i via the key exchange algorithm unit 103. Furthermore, the shared secret key sharing unit 106 creates g^(a_ib_i) using g^(a_i) received from each key exchange device 200-i and the created random number b_(i) and creates mk_(i) ⁰←MGen(g^(a ib i)) using an algorithm MGen that generates a MAC key. The shared secret key sharing unit 106 stores mk_(i) ⁰ (where i=1, 2, . . . , n) in the shared secret key storage 102 as a shared secret key.

3. The shared secret key sharing unit 206 of each key exchange device 200-i receives (g^(b_i), σ⁰) and verifies the signature σ_(s) ⁰ using pk_(s) contained in the long-term public key SPK, and the verification algorithm Ver (1 or ∧←Ver_(pk_s)(g_(b_i), σ_(i) ⁰)). If the signature σ_(s) ⁰ is not successfully verified (if ∧ is output), the shared secret key sharing unit 206 stops the key exchange algorithm. If the signature σ_(s) ⁰ is successfully verified (if 1 is output), the shared secret key sharing unit 206 creates g^(a_ib_i) using a_(i) generated by the key exchange device 200-i and g^(b_i) received from the key exchange server device 100 and creates mk_(i) ⁰←MGen(g^(a_ib_i)) using the algorithm MGen that generates a MAC key. The shared secret key sharing unit 206 stores mk_(i) ⁰ (here, i is one value corresponding to the key exchange device 200-i) in the shared secret key storage 202 as a shared secret key.

By the processing discussed so far, the key exchange server device 100 and the key exchange device 200-i share the shared secret key mk_(i) ⁰.

(Round2 for Users)

1. The authentication information verification unit 204 of the key exchange device 200-i (where i ∈ [1, n]) acquires (sid, R_(i−1), R_(i+1), σ_(sev_i) ¹) from the key exchange server device 100 via the key exchange algorithm unit 203 and verifies (sid, R_(i−1), R_(i+1), σ_(sev_i) ¹) by the verification algorithm Ver by the following formula.

Ver_(mk_(i) ^(j−1))(sid, R_(i−1), R_(i+1), σ_(sev_i) ¹)

If (sid, R_(i−1), R_(i+1), σ_(sev_i) ¹) is not successfully verified, the authentication information verification unit 204 stops the key exchange algorithm. The authentication information verification unit 204 continues the key exchange algorithm only when (sid, R_(i−1), R_(i+1), σ_(sev_i) ¹) is successfully verified.

2. The key exchange algorithm unit 203 of the key exchange device 200-i (where i ∈ [2, n]) calculates K_(i) ⁽¹⁾=F(sid, R_(i−1) ^(r_i)), K_(i) ^((r))=F(sid, R_(i+1) ^(r_i)), and T_(i)=K_(i) ⁽¹⁾xor K_(i) ⁽¹⁾. Furthermore, the shared secret key sharing unit 206 obtains d_(i) by d˜_(i) ∈ _(R){0, 1}^(k), d˜_(i)′ ∈ _(R)Kspace_(κ), and d_(i)=tPRF(d˜_(i), d˜_(i)′, st_(i), st′_(i)), stores (d˜_(i), d˜_(i)′) in the unillustrated storage ESK_(i), and creates g^(d_1). The shared secret key sharing unit 206 calculates a signature σ_(i) ² using a signature algorithm Tag (σ₁ ²=Tag_(mk_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), U_(i), sid, g^(d_i))) and transmits (k_(i), s_(i), T_(i), g^(d_i), σ_(i) ²) to the key exchange server device 100 via the key exchange algorithm unit 203.

3. The key exchange algorithm unit 203 of a user u₁, who is a representative user, calculates K₁ ⁽¹⁾=F(sid, R_(n) ^(r_i)), K₁ ^((r))=F(sid, R₂ ^(r_i)), T₁=K₁ ⁽¹⁾ xor K₁ ^((r)), and T′=K₁ ⁽¹⁾ xor (k₁∥s₁). Furthermore, the shared secret key sharing unit 206 obtains d₁ by d˜₁ ∈ _(R){0, 1}^(k), d˜₁′ ∈ Kspace_(κ), and d₁=tPRF(d˜₁, d˜₁′, st₁, st′₁), stores (d˜₁, d˜₁′) in an unillustrated storage ESK₁, and creates g^(d_1). The shared secret key sharing unit 206 calculates a signature σ_(i) ² using the signature algorithm Tag (σ_(i) ²=Tag_(mk₁ ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid, g^(d_1))) and transmits (T_(i), T′, g^(d_1), σ_(i) ²) to the key exchange server device 100 via the key exchange algorithm unit 203.

(Round2 for Server)

1 . The authentication information verification unit 104 of the key exchange server device 100 acquires (k_(i), s_(i), T_(i), g^(d_i), σ_(i) ²) from the key exchange device 200-i (where i ∈ [2, n]) via the key exchange algorithm unit 103 and verifies (k_(i), s_(i), T_(i), g^(d_i), σ_(i) ²) by the verification algorithm Ver by the following formula.

Ver_(mk_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), U_(i), sid, g^(d_i), σ_(i) ²)

If (k_(i), s_(i), T_(i), g^(d_i) , σ_(i) ²) is not successfully verified, the authentication information verification unit 104 stops the key exchange algorithm. The authentication information verification unit 104 continues the key exchange algorithm only when (k_(i), s_(i), T_(i), g_(d_i), σ_(i) ²) is successfully verified.

2. The authentication information verification unit 104 of the key exchange server device 100 acquires (k_(i), s_(i), T_(i), g_(d_1), σ_(i) ²) from the key exchange device 200-1 of the user u₁, who is a representative user, via the key exchange algorithm unit 103 and verifies (k_(i), s_(i), T_(i), g^(d_1), σ_(i) ²) by the verification algorithm Ver by the following formula.

Ver_(mk_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), U_(i), sid, g^(d_i), σ_(i) ²)

If (k_(i), s_(i), T_(i), g^(d_i), σ_(i) ²) is not successfully verified, the authentication information verification unit 104 stops the key exchange algorithm. The authentication information verification unit 104 continues the key exchange algorithm only when (k_(i), s_(i), T_(i), g^(d_1), σ_(i) ²) is successfully verified.

3. The key exchange algorithm unit 103 of the key exchange server device 100 generates k_(S)˜ ∈ _(R){0, 1}*, k_(S)˜′ ∈ _(R)Kspace_(κ), K₁˜ ∈ _(R){0, 1}*, and K₁˜′ ∈ _(R)Kspace_(κ) and calculates k_(S)=tPRF(k_(S)˜, k_(S)˜′, st_(s), st′_(s)), K₁=tPRF(K₁˜, K₁˜′, st_(s), st′_(s)), and k′=(xor_(2≤i≤n) k_(i)) xor k_(s).

4. The shared secret key sharing unit 106 obtains e_(i) by e˜_(i) ∈ _(R){0, 1}^(k), e˜_(i)′ ∈ _(R)Kspace_(κ), and e_(i)=tPRF(e˜_(i) , e˜_(i)′, st_(i), st′_(i)), stores (e˜_(i), e˜_(i)′) in the unillustrated storage ESK_(s), and creates g^(e_i). Furthermore, the shared secret key sharing unit 106 creates g^(d_ie_i) using g^(d_i) received from each key exchange device 200-i and the created g^(e_i)and creates mk_(i) ¹←MGen(g^(d_ie_i)) using the algorithm MGen that generates a MAC key. The shared secret key sharing unit 106 stores mk_(i) ¹ (where i=1, 2, . . . , n) in the shared secret key storage 102 as a shared secret key and deletes mk_(i) ⁰.

5. The key exchange algorithm unit 103 of the key exchange server device 100 calculates T_(i)′=(xor_(i≤j≤i−1) T_(j)) for the key exchange device 200-i (where i ∈ [2, n]).

6. The authentication information addition unit 105 of the key exchange server device 100 calculates a signature σ_(i) ² for the key exchange device 200-i (where i ∈ [2, n]) using the signature algorithm Tag by the following formula.

σ_(i) ²=Tag_(mk_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), U_(i), sid, c₁, k′, T_(i)′, T′, g^(e_1))

Furthermore, the authentication information addition unit 105 transmits (c₁, k′, sid, T′_(i), T′, g^(e_1), σ_(i) ²) to the key exchange device 200-i (where i ∈ [2, n]) via the key exchange algorithm unit 103.

7. The authentication information addition unit 105 of the key exchange server device 100 calculates a signature σ_(i) ² for the key exchange device 200-1 of the user u₁, who is a representative user, using the signature algorithm Tag by the following formula.

σ_(i) ²=Tag_(mk_(i) ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid, k′, g^(e_1))

Furthermore, the authentication information addition unit 105 transmits (k′, g^(e_1), σ₁ ²) to the key exchange device 200-1 via the key exchange algorithm unit 103.

(Session Key Generation and Post Computation)

1. The authentication information verification unit 204 of the key exchange device 200-i (where i ∈ [2, n]) acquires (c₁, k′, sid, T′₁, T′, g^(e_1), σ_(i) ²) from the key exchange server device 100 via the key exchange algorithm unit 203 and verifies (c₁, k′, sid, T′_(i), T′, g^(e_1), σ₁ ²) by the verification algorithm Ver by the following formula.

Ver_(mk_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+i), k_(i), s_(i), T_(i), U_(i), sid, c₁, k′, T_(i)′, T′, g^(e_1), σ₁ ²)

If (c₁, k′, sid, T′_(i), T′, g^(e_1), σ_(i) ²) is not successfully verified, the authentication information verification unit 204 stops the key exchange algorithm. The authentication information verification unit 204 continues the key exchange algorithm only when (c₁, k′, sid, T′_(i), T′, g^(e_1), σ₁ ²) is successfully verified.

2. The key exchange algorithm unit 203 of the key exchange device 200-i calculates K₁ ⁽¹⁾=T′_(i) xor K_(i) ⁽¹⁾ and k₁∥s₁=T′ xor K₁ ⁽¹⁾ and calculates K₁=F′(sid, k′ xor k₁).

Furthermore, the key exchange algorithm unit 203 obtains a session key SK by SK=F″(sid, K₁).

3. The key exchange algorithm unit 203 of the key exchange device 200-i (where i ∈ [2, n]) stores sid, H_(i) ⁽¹⁾=R_(i−1) ^(r_i), H_(i) ^((r))=R_(i−1) ^(r_i), r=F′″(sid, K₁) xor F′″(sid, K₂) in an unillustrated storage state_(i).

Furthermore, the shared secret key sharing unit 206 creates using g^(e_1)received from the key exchange server device 100 via the key exchange algorithm unit 203 and g^(d_1) created in Round2 for Users and creates mk_(i) ¹←MGen(g^(d_ie_i)) using the algorithm MGen that generates a MAC key. The shared secret key sharing unit 206 stores mk_(i) ¹ (where i=1, 2, . . . , n) in the shared secret key storage 202 as a shared secret key and deletes mk_(i) ⁰.

4. The key exchange algorithm unit 203 of the key exchange device 200-1 of the user u₁, who is a representative user, acquires (k′, g^(e_1), σ₁ ²) from the key exchange server device 100 and verifies (k′, g^(e_1), σ₁ ²) by the verification algorithm Ver by the following formula.

Ver_(mk₁ ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid, k′, g^(e_1), σ₁ ²)

If (k′, g^(e_1), σ₁ ²) is not successfully verified, the key exchange algorithm unit 203 stops the key exchange algorithm. The key exchange algorithm unit 203 continues the key exchange algorithm only when (k′, g^(e_1), σ₁ ²) is successfully verified.

5. The key exchange algorithm unit 203 of the key exchange device 200-1 calculates K₁=F′(sid, k′ xor k₁). Furthermore, the key exchange algorithm unit 203 obtains a session key SK by SK=F″(sid, K₁).

6. The key exchange algorithm unit 203 of the key exchange device 200-1 stores sid, H₁ ⁽¹⁾=R_(n) ^(r_i), H₁ ^((r))=R₂ ^(r_i), and r=F′″(sid, K₁) xor F′″(sid, K₂) in the unillustrated storage state

Furthermore, the shared secret key sharing unit 206 creates g^(d_ie_i) using g^(e_i) received from the key exchange server device 100 via the key exchange algorithm unit 203 and g^(d_i) created in Round2 for Users and creates mk_(i) ¹←MGen(g^(d_ie_i)) using the algorithm MGen that generates a MAC key. The shared secret key sharing unit 206 stores mk_(i) ¹ (where i=1, 2, . . . , n) in the shared secret key storage 202 as a shared secret key and deletes mk_(i) ⁰.

<Effects>

This configuration makes it possible to obtain the same effects as those of the first embodiment. In addition, it is possible to achieve a higher level of security by updating a shared secret key.

<Modifications>

In the present embodiment, a shared secret key is obtained as mk_(i) ⁰←MGen(g^(a_ib_i)) and mk_(i) ¹←MGen(g^(d_ie_i)); a shared secret key may be obtained as seed←TCR(g^(a_ib_i)), mk_(i) ⁰←MGen(seed), seedTCR←(g^(d_ie_i)), and mk_(i) ¹←MGen(seed).

In the present embodiment, the shared secret key mk_(i) ¹ has been described; a shared secret key mk_(i) ^(j) may be updated in each session j. At the time of an update, it is possible to use, not only a previous shared secret key mk_(i) ^(j−1), but also an earlier shared secret key mk_(i) ^(k) (0<k<j). The value of k only has to be identified in some way in advance between a certain device and another device between which a key exchange is performed.

<Point of a Fourth Embodiment>

A difference from the third embodiment will be mainly described.

In a fourth embodiment, the shared secret key update scheme is adopted.

However, unlike the third embodiment, as an update of a shared secret key, instead of performing a DH key update each time, a shared secret key and related information in a previous session are input to a pseudo-random function as input and an output value is used as an updated shared secret key.

It is to be noted that, in the fourth embodiment, related information is assumed to be a session key shared in the relevant session.

Fourth Embodiment

The third embodiment and the fourth embodiment differ in the processing details in (Round2 for Users), (Round2 for Server), and (Session Key Generation and Post Computation). Differences will be mainly described. (Round2 for Users) and (Round2 for Server) are respectively the same as (Round2 for Users) and (Round2 for Server) of the second embodiment.

In (Session Key Generation and Post Computation), the following processing is performed. It is assumed that mk_(i) ⁰ has been exchanged between the key exchange server device 100 and the key exchange device 200-i by performing the same initial shared secret key sharing step as that of the third embodiment.

(Session Key Generation and Post Computation)

1. The authentication information verification unit 204 of the key exchange device 200-i (where i ∈ [2, n]) acquires (c₁, k′, sid, T′_(i), T′, σ_(i) ²) from the key exchange server device 100 via the key exchange algorithm unit 203 and verifies (c₁, k′, sid, T′_(i), T′, σ_(i) ²) by the verification algorithm Ver by the following formula.

Ver_(mk_(i) ^(j−1))(R_(i), c_(i), R_(i−1), R_(i+1), k_(i), s_(i), T_(i), U_(i), sid, c₁, k′, T₁′, T′, σ_(i) ²)

If (c₁, k′, sid, T′₁, T′, σ_(i) ²) is not successfully verified, the authentication information verification unit 204 stops the key exchange algorithm. The authentication information verification unit 204 continues the key exchange algorithm only when (c₁, k′, sid, T′ _(i), T′, σ_(i) ²) is successfully verified.

2. The key exchange algorithm unit 203 of the key exchange device 200-i calculates K₁ ⁽¹⁾=T′_(i) xor K_(i) ⁽¹⁾ and k₁∥s₁=T′ xor K₁ ⁽¹⁾ and calculates K₁=F′(sid, k′ xor k₁).

Furthermore, the key exchange algorithm unit 203 obtains a session key SK by SK=F′(sid, K₁).

3. The key exchange algorithm unit 203 of the key exchange device 200-i (where i ∈ [2, n]) stores sid, H_(i) ⁽¹⁾=R_(i−1) ^(r_i), H_(i) ^((r))=R_(i+1) ^(r_i), and r=F′″(sid, K₁) xor F′″(sid, K₂) in an unillustrated storage state_(i).

Furthermore, the shared secret key sharing unit 206 inputs SK and mk_(i) ⁰ to a pseudo-random function PRF via the key exchange algorithm unit 203 and creates mk_(i) ¹←PRF(SK, mk_(i) ⁰). The shared secret key sharing unit 206 stores mk_(i) ¹ (where i=1, 2, . . . , n) in the shared secret key storage 202 as a shared secret key and deletes mk_(i) ⁰.

4. The key exchange algorithm unit 203 of a key exchange device 200-1 of a user u₁, who is a representative user, acquires (k′, σ₁ ²) from the key exchange server device 100 and verifies (k′, σ₁ ²) by the verification algorithm Ver by the following formula.

Ver_(mk_(i) ^(j−1))(R₁, c₁, R_(n), R₂, T₁, T′, U₁, sid, k′, σ₁ ²)

If (k′, σ₁ ²) is not successfully verified, the key exchange algorithm unit 203 stops the key exchange algorithm. The key exchange algorithm unit 203 continues the key exchange algorithm only when (k′, σ₁ ²) is successfully verified.

5. The key exchange algorithm unit 203 of the key exchange device 200-1 calculates K₁=F′(sid, k′ xor k₁). Furthermore, the key exchange algorithm unit 203 obtains a session key SK by SK=F″(sid, K₁).

6. The key exchange algorithm unit 203 of the key exchange device 200-1 stores sid, H₁ ⁽¹⁾=R_(n) ^(r_i), H₁ ^((r))=R₂ ^(r_i), and r=F′″(sid, K₁) xor F′″(sid, K₂) in an unillustrated storage state_(i).

Furthermore, the shared secret key sharing unit 206 inputs SK and mk_(i) ⁰ to the pseudo-random function PRF via the key exchange algorithm unit 203 and creates mk_(i) ¹←PRF(SK,)mk_(i) ⁰). The shared secret key sharing unit 206 stores mk_(i) ¹ (where i=1, 2, . . . , n) in the shared secret key storage 202 as a shared secret key and deletes mk_(i) ⁰.

After the above processing, in accordance with the above-described algorithm, every time Dist, Join, Leave, or Update is performed again, mk_(i) ^(v)←PRF(SK, mk_(i) ^(v−1)) is performed in the (Session Key Generation and Post Computation) phase using a session key SK^(v) (v ∈ N is assumed to be the number of times a key exchange is performed) to be shared when Dist, Join, Leave, or Update is performed, and an update of a shared secret key is performed.

<Effects>

This configuration makes it possible to obtain the same effects as those of the third embodiment.

<Other Modifications>

The present invention is not limited to the above embodiments and modifications. For example, the above-described various kinds of processing may be executed, in addition to being executed in chronological order in accordance with the descriptions, in parallel or individually depending on the processing power of a device that executes the processing or when necessary. In addition, changes may be made as appropriate without departing from the spirit of the present invention.

<Program and Recording Medium>

Further, various types of processing functions in the devices described in the above embodiments and modifications may be implemented on a computer. In that case, the processing details of the functions to be contained in each device are written by a program. With this program executed on the computer, various types of processing functions in the above-described devices are implemented on the computer.

This program in which the processing details are written can be recorded in a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory.

Distribution of this program is implemented by sales, transfer, rental, and other transactions of a portable recording medium such as a DVD and a CD-ROM on which the program is recorded, for example. Furthermore, this program may be distributed by storing the program in a storage device of a server computer and transferring the program from the server computer to other computers via a network.

A computer which executes such program first stores the program recorded in a portable recording medium or transferred from a server computer once in a storage thereof, for example. When the processing is performed, the computer reads out the program stored in the storage thereof and performs processing in accordance with the program thus read out. As another execution form of this program, the computer may directly read out the program from a portable recording medium and perform processing in accordance with the program. Furthermore, each time the program is transferred to the computer from the server computer, the computer may sequentially perform processing in accordance with the received program Alternatively, a configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by so-called application service provider (ASP)-type service by which the processing functions are implemented only by an instruction for execution thereof and result acquisition. It should be noted that the program includes information which is provided for processing performed by electronic calculation equipment and which is equivalent to a program (such as data which is not a direct instruction to the computer but has a property specifying the processing performed by the computer).

Moreover, the devices are assumed to be configured with a predetermined program executed on a computer. However, at least part of these processing details may be realized in a hardware manner. 

1. A key exchange device comprising: on an assumption that i≠s, j is the number of times a key exchange is performed, and k is any one of integers greater than or equal to 0 and less than j, a shared secret key storage in which shared secret information mk_(i) ^(k) which is information different from a secret key of the key exchange device is stored; an authentication information addition unit that generates authentication information σ_(i), by which authentication is performed and falsification is detected, for key exchange information e_(i), which is output to an outside, by using the shared secret information mk_(i) ^(k); and an authentication information verification unit that receives key exchange information e_(s) and authentication information σ_(s) corresponding to the key exchange information e_(s) from the outside, verifies the authentication information σ_(s) using the shared secret information mk_(i) ^(k), and, if the authentication information σ_(s) is not successfully verified, stops a key exchange, wherein the shared secret information mk_(i) ^(k) is a value that is used in a generation process in a key exchange.
 2. The key exchange device according to claim 1, comprising: a storage in which a secret key of the key exchange device is stored; and a shared secret key sharing unit that obtains shared secret information mk_(i) ^(j) using related information x, which is generated in a course of a key exchange, the secret key, and the shared secret information mk_(i) ^(k).
 3. The key exchange device according to claim 1 or 2, wherein the shared secret information is a MAC key or an AES key, and when receiving the key exchange information e_(s) from the outside and outputting the key exchange information e_(i) to the outside, the key exchange device performs processing based on a KY protocol.
 4. A key exchange system comprising: a key exchange server device; and n key exchange devices i, wherein on an assumption that i≠s, i=1, 2, . . . , n, j is the number of times a key exchange is performed, and k is any one of integers greater than or equal to 0 and less than j, each key exchange device i includes a shared secret key storage in which shared secret information mk_(i) ^(k) which is information different from a secret key of the key exchange device i is stored, an authentication information addition unit that generates authentication information σ_(i), by which authentication is performed and falsification is detected, for key exchange information e_(i), which is output to an outside, by using the shared secret information mk_(i) ^(k), and an authentication information verification unit that receives key exchange information e_(s_i) and authentication information σ_(s_i) corresponding to the key exchange information e_(s_i) from the outside, verifies the authentication information σ_(s_i) using the shared secret information mk_(i) ^(k), and, if the authentication information σ_(s_i) is not successfully verified, stops a key exchange, and the key exchange server device includes a second shared secret key storage in which shared secret information mk_(i) ^(k), . . . , mk_(n) ^(k) which is information different from a secret key of the key exchange server device is stored, a second authentication information addition unit that generates authentication information σ_(s_1), . . . , σ_(s_n), by which authentication is performed and falsification is detected, for key exchange information e_(s_1), . . . , e_(s_n), which is output to the outside, by using the shared secret information mk_(i) ^(k), . . . , mk_(n) ^(k), and a second authentication information verification unit that receives key exchange information e₁, . . . , e_(n) and authentication information σ₁, . . . , σ_(n) corresponding to the key exchange information e₁, . . . , e_(n) from the outside, verifies the authentication information σ₁, . . . , σ_(n) using the shared secret information mk₁ ^(k), . . . , mk_(n) ^(k), and, if certain authentication information is not successfully verified, stops a key exchange which is performed between the key exchange server device and a key exchange device whose authentication information has not been successfully verified.
 5. The key exchange system according to claim 4, wherein the shared secret information is a MAC key or an AES key, and when receiving the key exchange information e₁, . . . , e_(n) from the outside and outputting the key exchange information e_(s_1), . . . , e_(s_n) to the outside, the key exchange system performs processing based on a KY protocol.
 6. A key exchange method that uses a key exchange device, on an assumption that i≠s, j is the number of times a key exchange is performed, k is any one of integers greater than or equal to 0 and less than j, and, in a shared secret key storage of the key exchange device, shared secret information mk_(i) ^(k) which is information different from a secret key of the key exchange device is stored, the key exchange method comprising: an authentication information addition step in which the key exchange device generates authentication information σ_(i), by which authentication is performed and falsification is detected, for key exchange information which is output to an outside, by using the shared secret information mk_(i) ^(k); and an authentication information verification step in which the key exchange device receives key exchange information e_(s) and authentication information σ_(s) corresponding to the key exchange information e_(s) from the outside, verifies the authentication information σ_(s) using the shared secret information mk_(i) ^(k), and, if the authentication information σ_(s) is not successfully verified, stops a key exchange.
 7. A key exchange method that uses a key exchange server device and n key exchange devices i, on an assumption that i≠s, i=1, 2, . . . , n, j is the number of times a key exchange is performed, k is any one of integers greater than or equal to 0 and less than j, in a shared secret key storage of each key exchange device i, shared secret information mk_(i) ^(k) which is information different from a secret key of the key exchange device i is stored, and, in a shared secret key storage of the key exchange server device, shared secret information mk₁ ^(k), . . . , mk_(n) ^(k) which is information different from a secret key of the key exchange server device is stored, the key exchange method comprising: an initial shared secret key sharing step in which the key exchange server device and the n key exchange devices i share the shared secret information mk_(i) ^(k); an authentication information addition step in which the key exchange device i generates authentication information σ_(i), by which authentication is performed and falsification is detected, for key exchange information e_(i), which is output to an outside, by using the shared secret information mk_(i) ^(k); a second authentication information verification step in which the key exchange server device receives key exchange information e₁, . . . , e_(n) and authentication information σ₁, . . . , σ_(n) corresponding to the key exchange information e₁, . . . , e_(n) from the outside, verifies the authentication information σ₁, . . . , σ_(n) using the shared secret information mk_(i) ^(k), . . . , mk_(n) ^(k), and, if certain authentication information is not successfully verified, stops a key exchange which is performed between the key exchange server device and a key exchange device whose authentication information has not been successfully verified; a second authentication information addition step in which the key exchange server device generates authentication information σ_(s_1), . . . , σ_(s_n), by which authentication is performed and falsification is detected, for key exchange information e_(s_1), . . . , e_(s_n), which is output to the outside, by using the shared secret information mk_(i) ^(k), . . . , mk_(n) ^(k); and an authentication information verification step in which the key exchange device i receives key exchange information e_(s i) and authentication information σ_(s i) corresponding to the key exchange information e_(s_i) from the outside, verifies the authentication information σ_(s_i) using the shared secret information mk_(i) ^(k), and, if the authentication information σ_(s_i) is not successfully verified, stops a key exchange.
 8. A key exchange program for making a computer function as the key exchange device according to claim 1 or
 2. 9. A key exchange program for making a computer function as the key exchange device according to claim
 3. 